From 8ebe1fb5e8ded305e9f9dc87308939541c40aafe Mon Sep 17 00:00:00 2001
From: ed
Date: Tue, 6 Jun 2023 21:41:19 +0000
Subject: [PATCH] mention cfssl.sh in the default-certificate warning, and improve documentation inside cfssl.sh
---
 contrib/cfssl.sh | 38 +++++++++++++++++++++++++++++++++-----
 copyparty/__main__.py | 3 ++-
 2 files changed, 35 insertions(+), 6 deletions(-)
diff --git a/contrib/cfssl.sh b/contrib/cfssl.sh
index 03c9d081..6620f821 100755
--- a/contrib/cfssl.sh
+++ b/contrib/cfssl.sh
@@ -1,14 +1,40 @@
 #!/bin/bash
 set -e
+cat >/dev/null <<'EOF'
+
+this script generates a new self-signed TLS certificate and
+replaces the default insecure one that comes with copyparty
+
+as it is trivial to impersonate a copyparty server using the
+default certificate, it is highly recommended to do this
+
+this will create a self-signed CA, and a Server certificate
+which gets signed by that CA -- you can run it multiple times
+with different server-FQDNs / IPs to create additional certs
+for all your different servers / (non-)copyparty services
+
+EOF
+
+
 # ca-name and server-fqdn
 ca_name="$1"
 srv_fqdn="$2"
-[ -z "$srv_fqdn" ] && {
- echo "need arg 1: ca name"
- echo "need arg 2: server fqdn and/or IPs, comma-separated"
- echo "optional arg 3: if set, write cert into copyparty cfg"
+[ -z "$srv_fqdn" ] && { cat <<'EOF'
+need arg 1: ca name
+need arg 2: server fqdn and/or IPs, comma-separated
+optional arg 3: if set, write cert into copyparty cfg
+
+example:
+ ./cfssl.sh PartyCo partybox.local y
+EOF
+ exit 1
+}
+
+
+command -v cfssljson 2>/dev/null || {
+ echo please install cfssl and try again
 exit 1
 }
@@ -59,12 +85,14 @@ show() {
 }
 show ca.pem
 show "$srv_fqdn.pem"
-
+echo
+echo "successfully generated new certificates"
 # write cert into copyparty config
 [ -z "$3" ] || {
 mkdir -p ~/.config/copyparty
 cat "$srv_fqdn".{key,pem} ca.pem >~/.config/copyparty/cert.pem
+ echo "successfully replaced copyparty certificate"
 }
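Review bot: `command -v cfssljson 2>/dev/null || {` silences only stderr, so on every successful run `command -v` still prints the resolved path of cfssljson to stdout as stray output; redirect both streams, `command -v cfssljson >/dev/null 2>&1 || {`. The check also covers only cfssljson while the error text asks for cfssl; if the rest of the script below this hunk invokes the cfssl binary itself, it is worth probing both names before exiting. The new usage heredoc is written to stdout before `exit 1`; sending it to stderr with `cat >&2 <<'EOF'` keeps it out of anything that captures the script's normal output.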
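Review bot: The added `echo "successfully replaced copyparty certificate"` reports the cert.pem write as complete, but the file it refers to is created on the preceding unchanged `cat` line with the caller's default umask, and it concatenates the server private key with the certificates, so with a typical 022 umask it can end up readable by other local accounts. Wrapping the write as `(umask 077; cat "$srv_fqdn".{key,pem} ca.pem >~/.config/copyparty/cert.pem)` restricts it to the owner from creation, and `mkdir -p -m 700 ~/.config/copyparty` would do the same for the directory when it is first created. Printing the success message only after that subshell returns keeps the message accurate under `set -e`.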
diff --git a/copyparty/__main__.py b/copyparty/__main__.py
index 239ef024..6e83bb63 100755
--- a/copyparty/__main__.py
+++ b/copyparty/__main__.py
@@ -310,7 +310,8 @@ def ensure_cert(al: argparse.Namespace) -> None:
 try:
 if filecmp.cmp(al.cert, cert_insec):
 lprint(
- "\033[33musing default TLS certificate; https will be insecure."
+ "\033[33musing default TLS certificate; https will be insecure -- please see\n"
+ "https://github.com/9001/copyparty/blob/hovudstraum/contrib/cfssl.sh"
 + "\033[36m\ncertificate location: {}\033[0m\n".format(al.cert)
 )
 except:
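Review bot: In the new message, `.format(al.cert)` binds only to the last literal of the `+` chain, so the two added lines are plain strings and any `{}` placeholder later added to them would be printed verbatim rather than substituted. Placing the three literals side by side inside the `lprint(` parentheses (implicit concatenation, no `+` operators) with `.format(al.cert)` after the last one makes the call apply to the whole message; the only edit is dropping the leading `+ ` on the added URL line and on the unchanged `"\033[36m\ncertificate location: ..."` line. The link points at the `hovudstraum` branch, so the script a user is told to run can change under the same URL; a tag- or commit-pinned link would give a reproducible reference in the warning. ensure_cert starts above this hunk and the surrounding try/except continues below it.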